How to make sure that USB storage firmware is not compromised

The original question:

Continue discussion from here:

If I get the question correctly then my answer would be:

  1. Make sure that the USB storage you get your hands on is not malicious initially.
    You can be certain of this if you use some open hardware and open source firmware USB storage for which you can build and flash the firmware yourself. Maybe such devices are already available but otherwise it’ll be cumbersome to make and use but possible.
    Or you can protect yourself from a targeted attack and buy the consumer USB storage at some random store by yourself without using delivery. With this you can be almost certain that the USB storage couldn’t be used for a targeted attack on you but you’ll have to live with the probability of this USB storage containing some mass-targeted malware in its firmware.
  2. Make sure that this USB storage firmware can’t be infected while using it.
    Always keep USB storage to yourself so other people can’t get a hold of it.
    Don’t plug it into any other machine except for your Qubes OS machine where it’ll be used.
    Use a separate USB controller that will be used only to connect this USB storage and no other USB device will be connected to it.

Maybe I’m not getting the question right.
If that’s the case then can you state some examples of a threat or more details to your question?

1 Like

Thanks for opening this new thread.

  1. Make sure that the USB storage you get your hands on is not malicious initially.
    You can be certain of this if you use some open hardware and open source firmware USB storage for which you can build and flash the firmware yourself.

Exactly. Any “trust” in a proprietary thing is forceful and is not actual trust but should rather be called compulsion.

Maybe such devices are already available but otherwise it’ll be cumbersome to make and use but possible.

Nitro/Librem Keys storages are such devices, the only FOSS/H ones I am aware of.

Or you can protect yourself from a targeted attack and buy the consumer USB storage at some random store by yourself without using delivery. With this you can be almost certain that the USB storage couldn’t be used for a targeted attack on you but you’ll have to live with the probability of this USB storage containing some mass-targeted malware in its firmware.

Exactly. The latter is not impossible.

  2. Make sure that this USB storage firmware can’t be infected while using it.
    Always keep USB storage to yourself so other people can’t get a hold of it.

That excludes swimming and similar activities.

Use a separate USB controller that will be used only to connect this USB storage and no other USB device will be connected to it.

Only if a second controller exists.

Maybe I’m not getting the question right.

You are.

If that’s the case then can you state some examples of a threat or more details to your question?

See:

A malicious USB storage device can contain a hidden partition, visible only to its own firmware, where malware can reside forever. We also have USBKill as a technical possibility.

Now you understand my concern in regards to booting from USB or having any USB devices connected at boot time. The inevitability of USB keyboards and mice (although undesired) actually seems more acceptable, as the firmware of those devices is far simpler and for economic reasons it seems less likely that an attacker would target those devices. BTW, I have seen a FOSS USB keyboard… it cost about $300.

1 Like

What about using an SD card for this boot info (assuming the hardware is on the computer)?

I seem to recall reading that an SD card is not as likely to have some kind of -mal-firmware as a USB key. Or did I misunderstand again?

1 Like

I think we should consider the physical security of both the USB storage and the Qubes OS machine together. There is no point in protecting the USB storage device more strongly than the Qubes OS machine itself.
If you leave your laptop at home and take the USB storage with you to go for a swim then you need to protect both the USB storage that will be with you and the laptop you’ll leave at home.
Physical device security is a complex question.

If your laptop has Thunderbolt ports then you can add an external USB Host Controller.
If not then maybe consider using some Raspberry Pi, connect the USB storage to it and then connect the Raspberry Pi to your laptop using Ethernet.
If your laptop doesn’t have an Ethernet port then you can use a USB-Ethernet adapter for your laptop. But in that case you can’t boot from this USB device securely, only access files on it securely.

I’ve proposed this in the original topic, but we’re talking about using USB storage specifically.
An SD card can have malware in its firmware as well:
On Hacking MicroSD Cards « bunnie's blog
But compared to malicious USB storage it can’t act as any other device except for being an SD card. So using an SD card is more secure.

1 Like
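
Two points from the post above (a controller dedicated to the storage device, and USB storage being able to present itself as other device types) can be checked on a Linux host, as an added example that is not part of the original thread. It assumes the usual sysfs layout `<controller>/usbN/<device>/<interface>/bInterfaceClass`; the function names and the sample tree are constructed for illustration.

```python
import os, re, tempfile
from collections import defaultdict

MASS_STORAGE, HUB = "08", "09"  # USB-IF interface class codes

def audit_usb(sys_devices="/sys/devices"):
    """Map controller -> device -> set of declared interface classes."""
    tree = defaultdict(lambda: defaultdict(set))
    for dirpath, _dirs, files in os.walk(sys_devices):
        if "bInterfaceClass" not in files:
            continue
        parts = dirpath.split(os.sep)
        # .../<controller>/usbN/<device>/<device>:<config>.<interface>
        bus = next((i for i, p in enumerate(parts) if re.fullmatch(r"usb\d+", p)), 0)
        if bus == 0:
            continue
        with open(os.path.join(dirpath, "bInterfaceClass")) as fh:
            tree[parts[bus - 1]][parts[-2]].add(fh.read().strip().lower())
    return tree

def findings(tree):
    """Flag storage devices that declare extra functions or share a controller."""
    out = []
    for ctrl, devs in sorted(tree.items()):
        real = {d: c for d, c in devs.items() if c != {HUB}}  # drop hubs
        for dev, classes in sorted(real.items()):
            if MASS_STORAGE not in classes:
                continue
            if classes - {MASS_STORAGE}:
                out.append((ctrl, dev, "extra-interfaces"))
            if len(real) > 1:
                out.append((ctrl, dev, "shared-controller"))
    return out

def build_sample(root):
    """Constructed sysfs-like tree (not real hardware) for an offline run."""
    a, b = "pci0000:00/0000:00:14.0/usb1/", "pci0000:00/0000:00:1a.0/usb2/"
    layout = {a + "1-0:1.0": "09", a + "1-2/1-2:1.0": "08", a + "1-2/1-2:1.1": "03",
              a + "1-3/1-3:1.0": "03", b + "2-0:1.0": "09", b + "2-1/2-1:1.0": "08"}
    for rel, cls in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(path)
        with open(os.path.join(path, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in findings(audit_usb(build_sample(tmp))):
            print(*finding)
```

On a real system, call `findings(audit_usb())` in the environment that owns the USB controller. The result reflects only the interfaces a device currently declares, so it cannot reveal firmware that stays hidden or re-enumerates later.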

I think we should consider the physical security of both the USB storage and the Qubes OS machine together. There is no point in protecting the USB storage device more strongly than the Qubes OS machine itself.

You mentioned it and I simply illustrated the potential impossibility (impracticality) of it.

1 Like

Do you still have a citation? That may be useful for a Qubes installation.

1 Like